commit ee13e8919c20de5860a510e91fac71fd5a7e9b8d
author philipel <philipel@webrtc.org> Wed Aug 02 02:07:48 2017 -0700
committer Commit Bot <commit-bot@chromium.org> Wed Aug 02 09:07:48 2017 +0000
tree cc4a18332b3f5388bb117cb7995edd19b90e829e
parent 6f1f8e972df5226233d45fb46e72dc2ad28f52e6

Fix off-by-one bugs in video_coding::PacketBuffer when the buffer is filled with a single frame.

BUG=webrtc:8028

Review-Url: https://codereview.webrtc.org/2993513002
Cr-Commit-Position: refs/heads/master@{#19209}

webrtc/modules/video_coding/packet_buffer.cc

diff --git a/webrtc/modules/video_coding/packet_buffer.cc b/webrtc/modules/video_coding/packet_buffer.cc
index 8b6de04..715a173 100644
--- a/webrtc/modules/video_coding/packet_buffer.cc
+++ b/webrtc/modules/video_coding/packet_buffer.cc
@@ -251,14 +251,14 @@
       // Find the start index by searching backward until the packet with
       // the |frame_begin| flag is set.
       int start_index = index;
+      size_t tested_packets = 0;
 
       bool is_h264 = data_buffer_[start_index].codec == kVideoCodecH264;
       bool is_h264_keyframe = false;
       int64_t frame_timestamp = data_buffer_[start_index].timestamp;
 
-      // Since packet at |data_buffer_[index]| is already part of the frame
-      // we will have at most |size_ - 1| packets left to check.
-      for (size_t j = 0; j < size_ - 1; ++j) {
+      while (true) {
+        ++tested_packets;
         frame_size += data_buffer_[start_index].sizeBytes;
         max_nack_count =
             std::max(max_nack_count, data_buffer_[start_index].timesNacked);
@@ -278,6 +278,9 @@
           }
         }
 
+        if (tested_packets == size_)
+          break;
+
         start_index = start_index > 0 ? start_index - 1 : size_ - 1;
 
         // In the case of H264 we don't have a frame_begin bit (yes,
@@ -345,19 +348,30 @@
   size_t index = frame.first_seq_num() % size_;
   size_t end = (frame.last_seq_num() + 1) % size_;
   uint16_t seq_num = frame.first_seq_num();
-  while (index != end) {
+  uint8_t* destination_end = destination + frame.size();
+
+  do {
     if (!sequence_buffer_[index].used ||
         sequence_buffer_[index].seq_num != seq_num) {
       return false;
     }
 
-    const uint8_t* source = data_buffer_[index].dataPtr;
+    RTC_DCHECK_EQ(data_buffer_[index].seqNum, sequence_buffer_[index].seq_num);
     size_t length = data_buffer_[index].sizeBytes;
+    if (destination + length > destination_end) {
+      LOG(LS_WARNING) << "Frame (" << frame.picture_id << ":"
+                      << static_cast<int>(frame.spatial_layer) << ")"
+                      << " bitstream buffer is not large enough.";
+      return false;
+    }
+
+    const uint8_t* source = data_buffer_[index].dataPtr;
     memcpy(destination, source, length);
     destination += length;
     index = (index + 1) % size_;
     ++seq_num;
-  }
+  } while (index != end);
+
   return true;
 }